package com.jdbc.lesson03;

import com.jdbc.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

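/**
 * Demonstrates that a {@link PreparedStatement} with bound parameters does not
 * let a crafted username (here {@code '' or 1=1}) alter the query structure:
 * the bound value is sent as data, so the quote characters are never parsed as SQL.
 */
public class SQLinjection {
    /**
     * Runs the demo with an injection-style username and a fixed password.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // Why a PreparedStatement resists injection: the bound value is treated as a
        // literal string; any quote/escape characters inside it are escaped by the
        // driver rather than interpreted as part of the statement.
        login("'' or 1=1", "123456");
    }

    /**
     * Looks up users whose {@code NAME} and {@code password} columns match the given
     * values, using bound parameters, and prints every matching row to stdout.
     *
     * <p>Connection handling is delegated to the project's {@code JdbcUtils}; the
     * connection, statement and result set are always released in {@code finally}.
     *
     * @param username value bound to the {@code NAME} column
     * @param password value bound to the {@code password} column
     */
    public static void login(String username, String password) {
        Connection conn = null;
        PreparedStatement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();
            String sql = "select * from `users` where `NAME`= ? and `password` = ?";
            // The prepared statement must be kept: the original discarded the return
            // value, leaving st null so the setString calls below threw NPE (which the
            // SQLException handler did not catch) before any query was executed.
            st = conn.prepareStatement(sql);
            st.setString(1, username);
            st.setString(2, password);
            rs = st.executeQuery();
            while (rs.next()) {
                System.out.println("id:" + rs.getObject("id"));
                System.out.println("NAME:" + rs.getObject("NAME"));
                // NOTE(review): echoing a credential column to stdout is acceptable only
                // for this local demo; real code must never log or print stored passwords.
                System.out.println("PASSWORD:" + rs.getObject("PASSWORD"));
                System.out.println("email:" + rs.getObject("email"));
                System.out.println("birthday:" + rs.getObject("birthday"));
                System.out.println("-------------------------");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            JdbcUtils.release(conn, st, rs);
        }
    }
}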
